That one is tough, because they are blind to the risk. I try to only work with people who have been burned before or have been around long enough to have seen the aftermath. Let me guess, they are probably telling you "show me the vulnerability", but refuse to delay shipping or fund the PoC.
Best advice is to communicate in writing the most likely risk and threat scenarios, with as much data or extrapolated data as possible. When the security flaws are later discovered, that is data you can refer to.
From what I read, this is what Zoom was like early on. They had amateur hour security and then when s*t hit the fan they beefed it up and retained a security team. I guess you could say it worked for them?